bug-1898800: fix csrf token storage

This changes Crash Stats to store the csrf token in the session rather
than in the cookie.

This also adjusts the order of the middleware per Django's documented
conventions.

webapp/crashstats/settings/base.py

@@ -126,13 +126,13 @@ def path(*dirs):
     # CORS needs to go before other response-generating middlewares
     "corsheaders.middleware.CorsMiddleware",
     "whitenoise.middleware.WhiteNoiseMiddleware",
-    "django.middleware.common.CommonMiddleware",
     "django.contrib.sessions.middleware.SessionMiddleware",
+    "django.middleware.common.CommonMiddleware",
     "django.contrib.auth.middleware.AuthenticationMiddleware",
     "crashstats.tokens.middleware.APIAuthenticationMiddleware",
-    "django.middleware.csrf.CsrfViewMiddleware",
     "mozilla_django_oidc.middleware.SessionRefresh",
     "django.contrib.messages.middleware.MessageMiddleware",
+    "django.middleware.csrf.CsrfViewMiddleware",
     "django.middleware.clickjacking.XFrameOptionsMiddleware",
     # If you run crashstats behind a load balancer, your `REMOTE_ADDR` header
     # will be that of the load balancer instead of the actual user. The
@@ -491,6 +491,7 @@ def filter(self, record):
 )
 
 CSRF_COOKIE_NAME = "crashstatscsrfcookie"
+CSRF_USE_SESSIONS = True
 
 SESSION_COOKIE_SECURE = _config(
     "SESSION_COOKIE_SECURE",